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Abstract 

This paper describes how to determine the parameter values of the chaotic Lorenz 
system from one of its variables waveform. The geometrical properties of the system 
are used firstly to reduce the parameter search space. Then, a synchronization-based 
approach, with the help of the same geometrical properties as coincidence criteria, 
is implemented to determine the parameter values with the wanted accuracy. The 
method is not affected by a moderate amount of noise in the waveform. As way 
of example of its effectiveness, the method is applied to figure out directly from 
the ciphertext the secret keys of two-channel chaotic cryptosystems using the vari- 
able synchronization signal, based on the ultimate state projective chaos 
synchronization. 



1 Introduction 



The feasibility of enslaving two chaotic systems [1] opened the possibility 
of using the signals generated by chaotic systems as carriers for analog and 
digital communications and soon aroused great interest as a potential means 
for secure communications [2]. It is assumed in the literature that chaotic 
modulation is an adequate means for secure transmission, because chaotic 
maps present some properties, such as sensitive dependence on parameters 
and initial conditions, ergodicity, mixing, and dense periodic points, that make 
them similar to pseudo random noise [3], which has been used traditionally as 
a masking signal for cryptographic purposes. 
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For over a decade a number of secure communication systems have been pro- 
posed in which the plaintext message signal m(t) was concealed into the 
chaotic signal by simply adding it to a system variable u{t) of the sender 
chaotic generator [4,5,6]; the receiver had to synchronize with the sender to 
regenerate the chaotic signal u(t) and thus recover the message m(t). This un- 
complicated scheme is usually broken by setting apart u(t) and m(t) signals 
using elemental high pass filtering [7,8,9], or by directly estimating the chaotic 
signal u(t) via Short's NLD method [10,11]. 

To avoid this weakness a more elaborated mixing procedure was employed 
in some recently proposed chaotic cryptosystems: a two-channel transmission 
technique was used, where an unmodified chaotic system variable was trans- 
mitted using the first channel, while a second channel conveyed a signal that 
was a complicated non-linear combination of the plaintext and another system 
variable, from which it was impossible to retrieve both separately. The first 
channel served as synchronizing signal for the chaotic system receiver, then 
the remaining chaotic system variables were generated and employed at the 
receiver end to retrieve the plaintext from the second channel signal, using the 
same system parameters values at sender and receiver [12,13,14]. 

In the vast majority of chaotic cryptosystems the security relies on the secrecy 
of the system parameters, which play the role of secret key, hence the deter- 
mination of the system parameters from the chaotic ciphertext is equivalent 
to breaking the system. 

The contribution of this work is double. First, a novel determination method 
of the unknown parameters of a Lorenz system, when the waveform of one of 
its variables is known, is presented in Sec. 2. Then, in Sees. 3 and 4, it is shown 
how this method can be applied to break some two-channel cryptosystems that 
use the Lorenz chaotic system. Finally, Sec. 6 concludes the paper. 



2 Parameter determination of the Lorenz system 

Since 1963 the Lorenz system [15] has been a paradigm for chaos. Conse- 
quently, it has been predominantly used in the design of chaotic cryptosys- 
tems. It is defined by the following equations: 



x = a(y- x ), 
y = rx — y — xz, 
z = xy — bz. 




where a, r and b are fixed parameters. 
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The proposed approach to the problem of Lorenz system parameter deter- 
mination is based on a homogeneous driving synchronization mechanism [16] 
between a drive Lorenz system and a response subsystem that is a partial du- 
plicate of the drive system reduced to only two variables, driven by the third 
variable. 

Projective synchronization (PS) is an interesting phenomena firstly described 
by Mainieri and Rehacek [17]. It consists of the synchronization of two partially 
linear coupled chaotic systems, sender and receiver, in which the amplitude 
of the slave system is a scalar multiple, called scaling factor, of that of the 
sender system in the phase space. The original study was restricted to three- 
dimensional partially linear systems. Xu and Li [18] showed that PS could 
be extended to general classes of chaotic systems without partial linearity, by 
means of the feedback control of the slave system. 

The response system is defined by the following equations, in which variable 
z(t) is used as driving signal: 

x r & [y r x r ), 

where a* and r* are fixed parameters and the drive variable is z. 

As was shown in [16, §111] this drive-response configuration has two condi- 
tional Lyapunov exponents, the first one is fairly negative while the second 
one is of small positive value, thus leading to a slightly unstable system. The 
consequence is that if the parameters of drive and response systems are identi- 
cal, then the drive and response variables will become identical (for complete 
synchronization) or differ only in an scaling factor (for projective synchroniza- 
tion), that depends on the initial conditions of the drive and response systems. 
However, if the parameters are not exactly equal, then the drive and response 
variables will be completely different. 

When the drive and response systems parameters are equal, the variable x r (t) 
will be easily recognizable as the familiar waveform of a Lorenz system, by a 
supposed human skilled observer. But if drive and response systems parame- 
ters are different, the waveforms generated by the response system will be a 
nonsense mesh some seconds after the beginning of driving, due to the sen- 
sitive dependence of chaotic systems on parameter values. This phenomenon 
could be interpreted by the observer as the consequence of a wrong parameter 
guessing. 

This work describes a criterion, based on the study of some geometric proper- 
ties of the Lorenz system variables waveforms, to automatically decide if the 
response system parameters coincide with the drive system parameters or not, 
by means of the analysis of the x r (t) waveform of the response system. 
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Fig. 1. Lorenz chaotic attractor: (a) parameters r = 45.6, a = 16 and 6 = 4; 
(b) parameters r = 100.3, a = 16 and 6 = 4, showing irregular cycles that not 
surround the fixed points. The position of the fixed points C + and C~ is indicated 
by asterisks. 

This method of recovering the unknown system parameters is applicable in 
the case of cryptosystems that use the variable z(t) as the driving signal like 
[13,14]. But it is not applicable to other two-channel cryptosystems driven by 
x(t) or y(t), like [12], because in those cases both Lyapunov exponents are 
negative and the drive-response configuration is stable, in despite of being the 
drive and response parameters moderately different. In those cryptosystems 
another efficient method of revealing the Lorenz system parameters described 
by Stojanovski et al. is aplicable [20]. 

To minimize the computer workload as much as possible, the parameter search 
space is previously reduced to a narrow range by means of a simple measure 
upon the z(t) waveform. Then, all the unknown parameter values are deter- 
mined with the desired accuracy. 



2.1 Lorenz attractor's geometrical properties 



According to [15] the Lorenz system has three fixed points. For < r < 1 the 
origin of coordinates is a globally stable fixed point; for 1 < r < r c the origin 
becomes unstable giving rise to two other stable twin points C + and C~, of 
coordinates = (±y / 6(r — 1), ±y / 6(r — 1), (r — 1)), being r c a critical value 
denned as: 

r - (7((7 + b + 3) (3) 

When r exceeds the critical value r c , the system becomes unstable, and its 
behavior is chaotic. 
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The Fig. 1 (a) shows the well known double scroll Lorenz attractor formed by 
the projection on the x — z plane, in the phase space, of a trajectory portion 
extending along 10 sec, where the parameters are r = 45.6, a = 16 and 6 = 4, 
the initial conditions are x = 13.3566, y = 13 and z = 44.6, the fixed points 
C + and C~ are indicated by asterisks. 

It is a well known fact that the Lorenz attractor trajectory follows two loops, in 
the vicinity of the fixed points C + and C~, with a spiral-like shape of steadily 
growing amplitude, jumping from one to the other, at irregular intervals, in a 
random-like manner though actually deterministic [15]. The trajectory always 
jumps from a cycle of relative high amplitude to another on the opposite loop 
generally of smaller amplitude. The spiraling trajectory may pass arbitrarily 
near to the fixed points, but never reach them while in chaotic regime. 

Definition 1. The portions of the attractor trajectory that consist of a revo- 
lution of 360° beginning after a change of sign of x and y are irregular cycles. 
The portions of the trajectory that constitute a complete spiral revolution of 
360° and do not begin after a change of sign of x and y are regular cycles. 

Remark 1. Regular cycles always surround the fixed points C + or C~, taking 
them as centers of a growing spiral. 

Remark 2. Irregular cycles usually surround the fixed points C + or C~; but 
sometimes may not surround them, instead the trajectory may pass slightly 
above them in the x — z plane. This phenomenon is illustrated in the Fig. 1(b), 
with system parameters r = 100.3, o = 16 and b = 4 and initial conditions 
x = —1, y = 35.24 and z = 100. 

Definition 2. The attractor eyes are constituted by the two neighborhood 
regions around the fixed points that are not filled with regular cycles. The eye 
centres are the fixed points C + or C~ . 

Definition 3. The eye aperture x a and z a of the variables x and z, for a par- 
ticular time period, is the smallest distance between the maxima and minima 
of \x(t)\ and z(t), respectively, of the regular cycles, measured along this time 
period. 

Figure 2 illustrates the first 2.25 s of another version of the Lorenz attractor 
of Fig. 1(b), folded around the z axis and formed by the projection on the 
x — z plane, in the phase space, of a trajectory portion of z(t) and |#(i)|. The 
trajectory portion drawn with solid thick line is the regular cycle closest to the 
fixed points C ± , from which the eye aperture of x a and z a can be determined. 
The trajectory portion drawn with dashed thick line belongs to the preceding 
irregular cycle. 
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Fig. 2. First 2.25 s of a version of the Lorenz attractor of Fig. 1(b), folded around 
the z axis. The solid thick line trajectory portion is the regular cycle closest to the 
fixed points C ± . The dashed thick line trajectory portion is the preceeding irregular 
cycle. 



2.2 Reduction of the parameters search space 



The geometrical properties of Lorenz system allows for a previous reduction of 
the search space of the r parameter, before carrying out the accurate parameter 
determination, taking advantage of the relation of the system parameter r 
with the coordinates zq+ = Zc- = r — 1 of the fixed points C + and C~ and 
Eq. (3). The estimated value z* G ± of the fixed points coordinates z G + = z c - 
was calculated from the variable z(t) using following algorithm: 

(1) compile a list of all the relative maxima and minima of z(t), 

(2) exclude all the minima belonging to an irregular cycle from the list, 

(3) retain the biggest relative minimum z m i, among the remaining list ele- 
ments, 

(4) select the two maxima Zmi, Zmi immediately preceding and following 
z m ±, respectively, 

(5) calculate the spiral centre as z* c ± = {\zmx + § Z M2 + z m i)/2. 

There is no need to find a rule of growing for the spiral radius, since the optimal 
values of the two weights of z M1 and zm2, m the preceding z@± formula, can 
be determined experimentally. 
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Fig. 3. Parameter r estimation error, when calculated from the fixed point coordi- 
nate Zq± , for different combinations of system parameters a and b. 

The minima of the irregular cycles were discarded because they are inappropri- 
ate for the fixed point's z coordinate calculation, due to the fact that irregular 
cycles may not take the fixed points as centres. Those cycles are very easy to 
detect from the z(t) waveform: they are the first minima that comes after a 
previous minimum of smaller value. 

Figure 3 illustrates the relative error when the value of r is estimated as 
r* = Zq± + 1, for values of r* ranging from the critical value r* = r c to 
r* = 120, in increments of Ar* = 1, for 15 different combinations of system 
parameters, a = (6,10,13,16,20) and b = (2,8/3,4); the analyzed time was 
200 s of the z(t) waveform. As can be seen, the maximum relative error spans 
from —0.23% to +0.3%. In this way, when trying to guess the value of r from 
the waveform of z(t), the effective search space may be reduced to a narrow 
margin of less than 0.6% of the computed value r* = z* c ± + 1. 

The presence of moderate noise added to the z(t) waveform did not affect the 
precision of the measure. Some tests were carried adding either white gaussian 
noise or sinusoidal signals, of a level 30 db below z(t). The resultant relative 
error in the guess of r* was still inferior to ±0.2%, for o = 16 and b = 4. But 
for not so moderated values of added noise the increase of relative error was 
noticeable; i.e. when the noise reached a value of 20 db below z(t) the relative 
error raised to about ±1%. 

The search space of a* can also be delimited. Assuming that r > r c , b > 
and a > 0, it follows from Eq. (3) that: 

>a 2 + (b + 3 - r)a + r(b + 1) > a 2 + (3 - r)a, (4) 

that yields a very conservative margin of0<er<r — 3. 
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Fig. 4. Lorenz attractor formed by the projection on the x r — z plane, in all cases 
the drive parameter are the same: a = 16 and r = 45.6; but response parameter 
values are different: (a) a* = a, r* = r; (b) a* = a, r* = 45.61; (c) a* = 15.65, 
r* = r; (d) a* = 15.65, r* = 45.61. 

2.3 Accurate parameter determination 



Once the search space of the parameters is fixed, a homogeneous driving syn- 
chronization based procedure can be implemented to determine the approxi- 
mate values r* and a* with any desired accuracy. For this purpose, the response 
system described by Eq. (2) was used. 

When the synchronizing signal is fed to the response and the parameters of 
both systems agree, i.e. r* = r and a* = a, the variables x r and y r follow the 
drive signals x and y with a scale factor that depends on the initial conditions. 
If the parameters of both systems do not agree, i.e. r* ^ r and/or a* ^ a, the 
variables waveforms of drive and response systems will differ absolutely, even if 
the initial conditions are the same. After a few system iterations, all waveforms 
generated with different parameters values are nearly alike, but as the number 
of iterations grow, the waveforms generated with different parameter values 
begin to diverge, due to the conditional positive Lyapunov exponent of the 
drive-response configuration. For large number of iterations, even the smallest 
difference in parameters values leads to a serious disagreement of drive and 
response waveforms. 

Figure 4 shows the double scroll Lorenz attractor formed by the projection 
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on the x r — z plane when four possible cases of parameter coincidence are 
considered. In Fig. 4(a) both parameters of drive and response systems are 
equal. It can be seen that the attractor is similar to the illustrated in Fig. 1(a), 
being the difference the disagreement in the horizontal scale due to different 
initial conditions, it can be also observed that the attractor eye is quite open. In 
Fig. 4(b) one parameter coincides, but the other differs: a = a* = 16, r = 45.6 
and r* = 45.61, it can be seen that eye aperture has diminished considerably 
with respect to the former case. In Fig. 4(c) the coinciding parameter is r = 
r* = 45.6, the differing one is a = 16 and a* = 15.65, it can be seen that the 
eye aperture has diminished even more. Finally, in Fig. 4(d) both parameters 
differ r = 45.6, r* = 45.61, a = 16 and a* = 15.65, it can be seen that 
the eye is completely closed, i.e. the eye x-aperture x a is negative. Similar 
measures were carried out for a great variety of drive parameter values with 
identical results. When the differences between the true parameter values and 
the guessed values r — r* and a — a* are big, the eye aperture closes after very 
few cycles, but for progressively diminishing differences between parameters 
the number of cycles needed to obtain a closing eye are increasing. 

The value of the eye x-aperture x a of the variable x r (t) was computed for 
many sets of parameters values. It was found in all cases that its maximum 
value was reached when r* = r and a* = a. For these parameter values the 
variables x and x r are completely synchronous but differ only in a propor- 
tionality factor. Hence the maximum eye aperture is an excellent numerical 
criterium for evaluating the synchronism between drive and response systems. 

The eye x-aperture x a of the variable x r (t), was calculated with the following 
algorithm: 

(1) compile a list of all relative maxima and minima of abs(x r (£)), 

(2) exclude all the maxima belonging to an irregular cycle from the list, 

(3) retain the smallest relative maximum xm X i among the remaining maxima, 

(4) select the biggest minimum x m i, among all the minima, 

(5) calculate the eye aperture as x a = xmi — x mi- 



3 Application to cryptanalysis of a multiplexed two-channel pro- 
jective synchronization cryptosystem 

After their research in PS, Xu and Li proposed a secure communication scheme 
based on PS chaotic masking [14], that was shown to be breakable by filtering 
and by generalized synchronization using the feedback of the plaintext recovery 
error [19]. 

In a recent article Wang and Bu [13] proposed a new encryption scheme also 
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based on PS. Following [17], the state vector of a partially linear system of 
ordinary differential equations was broken in two parts (u, z) . The equation 
for z(t) was nonlinearly related to the other variables, while the equation for 
the rate of change of the vector u was linearly related to u through a matrix 
M that may depend on the variable z(t). It was employed a sender system 
(u s , z), a receiver system (u r , z), and an auxiliary system (u c , z) defined as: 

u s = M(z)-u s , z = f(u s ,z), 

ii r = M(z) ■ u r , (5) 
ii c = M(z) ■ u c , 

where u s = (x s ,y s ), u r = (x r ,y r ), and u c = (x c ,y c ). When PS takes place 
lim^oo ||u s — au r || = 0, being a a constant depending on the initial conditions 
of u r (0) and u s (0). 

The ciphertext s(t) was defined as a composition in function of time of the 
shared scalar variable z(t) and the scalar variable x s (t), described as: 

\ x s (t), nAt < t < nAt + St, 
s(t) = < (6) 
\z(t), nAt + St < t < (n + l)At, 

being n = (0, 1,2,...), while At and St are two time intervals so that St -C At. 

The ciphertext plays the double roles of the driving signal for chaos synchro- 
nization between the sender and receiver, by means of z(t), and the message 
carrier through x s (t). 

It is supposed that the plaintext message i(t) was previously discretized in 
time, in the form of a string of bits or a string of samples, i n . In the first 
case, the bits are coded as +1 or — 1. In the second case, the analog signal is 
sampled at a rate of 1/e samples per second, where e is the sampling period. 

The encryption of a plaintext i(t) was achieved as follows: at the beginning 
of each time interval At, during a much shorter time interval St, the sender 
system vector u is forcibly modified in the following way: 

u s (t„) = i n u c (t n ), (7) 

and at the end of the time interval St the entire system was let freely evolving 
until the beginning of the next time period At. 

Figure 5 illustrates the waveform of the ciphertext. It can be seen that s(t) is 
a discontinuous signal that agrees most of the time with the function z(t), but 
jumps to the value of x s (t) during a small time interval St every At seconds. 

The function z(t) was easily recovered, at the receiver end, by filtering out 
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Fig. 5. Ciphertext s(t), for At = 0.2 and St = 0.01 (solid line) and scalar variable 
x s (t) (dotted line). 

the spikes. The final signal distortion is negligible due to the short spike time 
length St related to their repetition period At. 

To recover the plaintext, instead of using the signal x s (t), which is not available 
at the receiver end, the average value of the spikes x s (t) for nAt < t < nAt+St 
was employed. Thanks again to the fact that St <C At, it can be considered 
that x s (t) is a good approximation of x s (t). 



The recovered plaintext i' n (t) at the receiver end was calculated as: 

X~s(tn) Ds{tn) 



Xritn) Vritn) 



(8) 



If the initial conditions of the auxiliary system and the receiver system are 
identical, the original plaintext and the retrieved plaintext will agree: i' n (t) = 
i n (t). However, if the initial conditions are different, the retrieved plaintext 
will be not equal, but proportional, to the original plaintext: i' n (t) = ci n (t). 
Due to PS between the sender and receiver, here c is a constant. 

For practical purposes, the present system is a two-channel communication 
system, with the particularity that both channels, one continuos and another 
sampled, are transmitted in a multiplexed way and separated at the receiving 
end. 

In [13, §3] an example was presented using similar sender-receiver circuits 
to the ones described in [21], based on the Lorenz system, see Eq. (1), with 
parameter values: 

a = 16.0, r = 45.6, b = 4.0, At = 0.2, St = 0.01, e = 0.001. (9) 

It was shown that an absolute error of Ar* = 0.001 in the value of the receiver 
parameter r* leads to a plaintext recovery failure, and it was asserted that 
a similar deviation in the receiver parameter a* value has the same effect. 
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Hence, although not clearly stated by the authors of [13], it can be estimated 
that in this cryptosystem the parameter values play the role of secret key. In 
every cryptosystem, the key should be completely specified [22]. 

The authors of [13] claimed that this method has some remarkable advan- 
tages over other chaos-based secure communication schemes, because it is not 
possible to extract the plaintext directly from the ciphertext by means of an 
error function attack, due to the system high sensitivity to the parameter val- 
ues. Moreover, conventional return map attacks exploiting the perturbation of 
the sender dynamics are also avoided, because the modulation procedure only 
affects the initial values of the trajectories in the phase space. 

3. 1 System parameters recovery procedure 

In the system proposed in [13], the variable z(t) was extracted at the receiver 
end from the ciphertext s(t) and used to achieve the receiver synchronization. 
This fact allows mounting an attack against the system parameters, whose 
values can be accurately determined. 

In our simulation, the same sender used in [13] was employed as a drive system, 
described by Eq. (1). As the intruder's receiver the response system described 
by Eq. (2) was used. The same sender parameters of the authors' example were 
used. The initial conditions of the sender were arbitrarily chosen as x s (0) = 40, 
y s (0) = 40, z(0) = 40, because in [13] there was no details about them. The 
initial conditions of the intruder's response system were arbitrarily chosen as 
x r (0) = 70, y r (0) = 7. 

The adequate searching ranges for the parameters r* and a* were determined 
as follows: applying the algorithm described in the Section 2.2 to 200 s of 
the z(t) waveform, it was found that the fixed point z coordinate was z* c ± = 
44.5943, that corresponds to r* = 45.5943 (very close to the true value r = 
45.6); hence a practical search range of r* going from r* = 45.50 to r* = 45.70 
was selected, equivalent to an error allowance ranging from —0.23% to +0.2%, 
compliant with Fig. 3. The search space of <r*, according to Eq. (4), should be 
comprised in the range < a* < 42.70. 

Figure 6 illustrates the r* and a* determination method using the procedure 
described in S. 2.3, that is accomplished in five steps. In the first step, the 
eye aperture of the receiver x r variable was measured along a period of 25 
s, equivalent to 55 periods of z(t). The measure was made for each of the 
210 different sets of parameter values obtained varying r* from r* = 45.50 to 
r* = 45.70, in increments of Ar* = 0.05, and a* from cr* = 1 to a* = 42, 
in increments of Act* = 1. The result is illustrated in Fig. 6 (a). It can be 
seen that for most combinations of parameter values the aperture is negative, 
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Fig. 6. Intruder receiver eye aperture x r for various measure periods: (a) 25 s; (b) 
80 s; (c) 250 s; (d) 800 s; (e) 800 s 



i.e. the corresponding parameter values are far from the right value; the best 
values for a* are comprised between a* = 15.5 and a* = 16.5, while the best 
values for r* are comprised between r* = 45.55 and r* = 45.65. Those values 
are taken as the search limits for the next step. The mesures were done, in 
the second, third and fourth steps, during periods of 80 s, 250 s and 800 s 
respectively, the results are depicted in Figs. 6(b), 6(c) and 6(d). 
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If the available ciphertext was unlimited, the next measure step could be 
done over a period longer than 800 s until the desired parameter precision 
could be reached. But let us suppose that there is no more than 800 s of 
available ciphertext. In that case, the only choice is to constrict the search 
space around the last best result obtained, with a growing resolution, until 
a situation is reached in which it becomes impossible to decide which is the 
best parameter value. The Fig. 6 (e) illustrates this situation, it was obtained 
keeping the last measure period of 800 s, but narrowing the search space 
around the last best result obtained. It can be seen that the discrimination 
limit of the identification method was reached for that period of measure, 
because multiple peaks gave approximately the same eye aperture of x a ~ 9.2. 
The four peaks of greater amplitude suggest four sets of equally plausible 
potential candidates of response system parameter sets, one of them is the 
right one = r = 45.60000, o"q = a = 16.00000, the other three are slightly 
inexact, they differ in the seventh significative digit from the right value: r* = 
45.59997, a\ = 15.99999; r* = 45.60003, a* 2 = 15.99996 and r* = 45.60004, 
a* = 15.99992. 

The Figs. 7(a), 7(b) and 7(c) illustrate the 800 first seconds of the waveform 
of x r (t) plotted against x(t), for the tree inexact system parameter sets. It can 
be seen that the x r (t) and x(t) waveforms are perfectly correlated in all the 
three cases despite of the parameter values little inexactitude. The different 
initial conditions are the cause of the initial transitory, that lasts only 0.5 s 
and of the different scale amplitudes of the waveforms. This means that any of 
the four potential candidates of response system parameter sets may be used 
indistinctly to generate the x r (t) waveform without noticeable error, for the 
limited time period that was considered for their determination. 

For practical purposes, a limited precision in the determination of the pa- 
rameters is not a shortcoming, because the degree of coincidence of the eye 
apertures x a \ and of x a2 of two waveforms of Xnit) and Xj 2 (t), corresponding 
to two different sets of response system parameters, is a measure of the degree 
of coincidence between both waveforms. This means that if two sets of slightly 
different response system parameters have the same eye apertures, computed 
along a limited time period, the corresponding waveforms are practically equal 
during this time. 

On the contrary, the parameter values of Fig. 7 (d) correspond to the example 
of [13], with parameter values r\ = 45.601 and a\ = 15.999, that undergo 
a guessing error on the fifth significative digit. Such error was considered in 
[13] unacceptable for correct plaintext recovery. Effectively, it can be seen in 
Fig. 7 (d) that x r (t) and x(t) waveforms are not correlated at all. 

If a greater precision in the parameter determination is needed, the period of 
measure could be accordingly enlarged. The maximum allowable precision is 
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Fig. 7. First 800 s of the intruder receiver phase portrait, for various sets of re- 
sponse system parameters: (a) r* = 45.59997, a* = 15.99999; (b) r* = 45.60003, 
a* = 15.99996; (c) r* = 45.60004, a* = 15.99992; (d) r* = 45.601, a* = 15.999. 



limited by the lifespan of the intercepted communication. To get an infinite 
precision an infinite measure period time will be needed. The first steps take 
very small time to compute, because the involved number of samples is short, 
but the last step is much more time consuming, because the involved number 
of samples is very large. 



When dealing with very long encrypted messages it may be unpractical to 
expand the parameter computation time to the whole message length, because 
the computation time may become huge. It is better to divide the message in 
fractions of not more than the equivalent of 1000 s of the Lorenz system, and 
repeat the parameter determination procedure for each fraction. In that way 
it may happen that the found parameters will be different for each message 
fraction. 



Once the best values of r* and a* are determined, the plaintext can be retrieved 
in the same way as the legal key owner does. 
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4 Application to cryptanalysis of a two separated channels projec- 
tive synchronization cryptosystem 



In a recent paper Li and Xu [14] proposed a secure communication scheme 
based on PS chaotic masking. They illustrated the feasibility of the scheme 
with two examples, one of them was based on the Lorenz system, with sender 
variables x s (t),y s (t) and z(t). The transmitted signals were the Lorenz sys- 
tem shared scalar variable z(t) and the ciphertext signal, defined as U(t) = 
x s (t) + y s (t) +m(t), where m(t) was the plaintext. The retrieved plaintext was 
calculated by the authorized receiver as m{t) = U (t) — (x r (t) +y r (t))/a, where 
a is the PS scaling factor and x r (t), y r {t) are the variables generated by the re- 
sponse system. The authors claimed that the lack of knowledge of the value of 
a by an intruder was an important feature to assure the information security. 
In their example the system parameter values were {a, r, b} = {10,60,8/3}, 
the scaling factor was a = 5 and the plaintext was the sound signal coming 
from a water flow, of unknown frequency spectrum and about 0.2 units of 
amplitude, i.e. approximately 0.005 times the amplitude of x r {t) + y r {t). 

We simulated this cryptosystem with arbitrarily chosen sender initial condi- 
tions x s (0) = 3, y s (0) = 3, z(0) = 20 because there was no details about them 
in [14]. The intruder response system initial conditions were chosen equal to 
corresponding sender initial conditions times the desired scaling factor a = 5, 
that is: x r (0) = 15 and y r (0) = 15. As plaintext message was chosen the func- 
tion m(t) = 0.2 sin(27r 30 t), i.e. a low frequency tone of similar amplitude to 
the authors example. 

To break this scheme the same determination procedure described in the prece- 
dent section was employed. First, using the algorithm of Sec. 2.2, it was found 
that the fixed point z coordinate was z* c± = 58.9766, that corresponds to 
r* = 59.9766 (very close to the true value r = 60); hence a practical search 
range of r* going from r* = 59.8 to r* = 60.2 was selected, equivalent to an er- 
ror allowance of ±0.33%, compliant with Fig. 3 error margins. The search space 
of cr*, according to Eq. (4), should be comprised in the range < a* < 57. 

Figure 8 illustrates the first and fifth steps of the r* and a* determination 
procedure, that was accomplished with the same method described in the 
precedent section. In the first step, the eye aperture of the receiver x r variable 
was measured along a period of 8 s, varying r* from r* = 59.8 to r* = 60.2, 
and a* from a* = to a* = 57. The result is illustrated in Fig. 8 (a). As 
in the previous section it was supposed that the available ciphertext had a 
length of 800 s. In Fig. 8 (b) it can be seen that the discrimination limit of the 
identification method was reached for that period of measure, giving multiple 
peaks approximately the same eye aperture. 
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Fig. 8. Intruder receiver eye aperture x r for various measure periods: (a) 8 s, with 
r* = 59.8 to r* = 60.2; (b) 800 s, with r* = 59.9999 to r* = 60.0001. 

The four peaks of greater amplitude suggest four sets of plausible potential 
candidates of response system parameter sets. The greatest of them, with an 
eye aperture x a o = 37.25, is the right one: r$ = r = 60, ctq = a = 10; the three 
following candidates, in descending order of eye aperture, are slightly inexact, 
differing in the seventh significative digit from the right value: r\ = 59.99999, 
a* = 10.00002 (x al = 37.23); r* = 60, a* = 10.00001 (x a2 = 37.18); and 
r* = 60, a* = 9.99998 (x a3 = 37.15). 

The determination of the approximated value of the scaling factor a* may be 
achieved by dividing, sample by sample, a time period T of the ciphertext by 
the corresponding period of response system sum of variables and taking the 
average along that time period: 

a , _ Jx~(t) + y s (t) + m(tj \ 
V x r {t)+y r {t) ) 
_ ( x a (t)+y 8 (t) \ 1 m(t) ~T 
" \x r {t) + y r {t) J \x r (t)+y r (t)J 

where f(t) denotes the temporal average of f(t) over a period T. In the case 
that m(t) has zero mean, as in the example given in [14], the last quotient 
vanishes since m(t) is independent of x r (t) + y r (t), while the mean of the 
first quotient of Eq. 10 reveals the value of a*. This simple procedure may be 
slightly inexact due to divide-by-cero problems, so the low amplitude samples 
were eliminated and the following algorithm was used to determine a* with 
more accuracy: 
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Fig. 9. Last second of plaintext, (a) Original message. Retrieved plaintext for four 
sets of response system parameters: (b) r\ = 60, a\ = 10; (c) r\ = 59.99999, 
a\ = 10.00002; (d) r* = 60, a* 2 = 10.00001; (e) r 



60, a* 3 



9.99998. 



(1) select a collection of samples of x r (t) and y r {t), corresponding to the 800 
first seconds of the waveform, 

(2) calculate the maximum value M x+y of the collection of \x r (t) + y r (t)\ 
samples, 

(3) compile a list of all the exact sampling times tj s for which \x r (tj S ) + 
y r (tj S )\ > 0.3 M x+y and count the number of them ns, 

(4) calculate the scaling factor as a* = E Mtjs)+vr(t jB ) ^ 

TIS ^ U yjjs ) 

The result was a* = 5.000038, for all the four parameter sets previously iden- 
tified, which represent a relative error of 7 x 10 -6 related to a, that will affect 
the recovering of m{t) adding a negligible noise of 63 db below its amplitude. 

The retrieved plaintext was then calculated as: 



*U\ TT( + \ X r(t)+Vr(t) . , /.x X r (t) + y r (t) , , 

m(t) = U{t) = x s {t) + y s {t) + m(t) (11 



a* 



c\-' 
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The Fig. 9 illustrate the plaintext waveform between the seconds 799 and 
800 of the the original message m(t) and four recovered messages m*(t), for 
the four system parameter sets previously identified. It can be seen that the 
retrieved waveform corresponding to the first and second set of intruder re- 
ceiver parameters is completely equal to the original plaintext, while the third 
and fourth parameters sets cause a small distortion of the retrieved plaintext; 
note that the distortion increases as the eye aperture goes down, as expected. 
Nevertheless any of the four potential candidates of response system parame- 
ter sets may be used indistinctly to gain access to the encrypted information 
without significant error, for the limited time period that was considered for 
their determination. 



5 Simulations 

All results were based on simulations with MATLAB 7, the Lorenz integration 
algorithm was a four-fifth order Runge-Kutta with an absolute error tolerance 
of 10 -9 , a relative error tolerance of 10 -6 , and a sampling frequency of 400 
Hz. 



6 Conclusion 

This work describes a novel Lorenz system parameter determination proce- 
dure, based on the measure of some attractor geometrical properties, with 
the help of a homogeneous driving synchronization mechanism. The method 
is applicable to the cryptanalysis of a two-channel chaotic cryptosystem that 
uses the variable synchronization signal, allowing for the system se- 

cret key recovery and evincing that such systems are not suitable for secure 
communications. The method is not applicable to break two-channel chaotic 
cryptosystems that use the variable x or y as a synchronization signal. 
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